Re: CERT: the letter from CERT to berkeley.edu admin
> steve, like eric, i feel that cert is overstepping their charter by engaging in law enforcement activities. what's your feeling on the matter? don't you agree that this could jeopardize their ability to do the work they are chartered to do?

Law enforcement? It's law enforcement if they do more than notify the owner of the site. Most such sites welcome the notifications *if* (and it's a big ``if'') their machines are being abused by outsiders. If CERT is going out and looking for pirated software, or if they try to take any action to enforce their notes -- then, I do agree with both of you; such actions are beyond their charter. (Though one can argue that clandestine distribution of malware would be an exception. I specify ``clandestine'' because one could entertain a reasonable suspicion that the motives of such distributors were not purely educational...)

If you asked CERT to justify such notes, they'd probably quote the following text from their press release on ftp.cert.org:

It will also serve as a focal point for the research community for identification and repair of security vulnerabilities, informal assessment of existing systems in the research community, improvement to emergency response capability, and user security awareness.

``User security awareness'' sounds about right.

Look -- CERT did not demand that the ftp area be shut down, they did not threaten to cut the machine off from the Internet, they didn't (as far as I know) turn the note over to the FBI or the Secret Service, and they didn't mention PGP or ``dirty GIFs''. They simply *informed* the administrator, in a polite way, of information that that administrator probably wants to hear. (I've had occasion to notify various system administrators of the same sort of thing. They were all grateful for the report.)

The overly-hasty response came from Eric's end. What the administrator's response should be if RSADSI sent a note about PGP is another matter. This is CERT, and they're talking about pirated software.

--Steve Bellovin

Disclaimer: I'm on friendly terms with CERT, and with a lot of the folks who work there. And -- as anyone who has read my papers knows -- I've sent in my share of incident and vulnerability reports.
> ....
> If you asked CERT to justify such notes, they'd probably quote the following text from their press release on ftp.cert.org:
> It will also serve as a focal point for the research community for identification and repair of security vulnerabilities, informal assessment of existing systems in the research community, improvement to emergency response capability, and user security awareness.
> ``User security awareness'' sounds about right.
> ....

Steve, I think CERT is off base with these notes. The problem, to my eyes, is not that they're notifying administrators of potential problems before they occur; that's all well and good, and probably easily within their charter. What I take issue with is the underhanded manner in which they seem to be doing it.

According to the reports from soda and penet, the notes were not sent in response to any specific request from the sites in question, but rather on the initiative of someone at CERT itself or in response to some vague complaint from a third party. Furthermore, the notes were sent "above the heads" of the individual site administrators (perhaps to whoever is listed in the domain contact at the NIC), apparently causing bad feelings and misunderstanding in at least the two cases reported here.

If they had sent mail to the postmasters at the individual sites saying "hey, did you know your machine has a writeable anonymous ftp directory?" that's one thing. I'd interpret that as a friendly and helpful gesture. Instead, the impression is one of, at best, unwelcome meddling, or, at worst, some kind of bizarre network-vigilantism. If they find something they don't like about one of my computers, who else are they going to send mail to? My boss? My mother?

I should point out that I've dealt with CERT myself a couple of years ago regarding an intruder on a machine I administered, and found them to be nothing but helpful and professional. Their assistance was, however, limited to reacting to specific problems that I asked them to help with. They never initiated any kind of audit of my site or did anything that would make me feel as if they were some kind of "net cop wannabes" who were "checking up" on my computers. I'd hate to see that image changing, because they have the potential to provide an increasingly valuable service as the internet grows.

-matt
Participants (2): Matt Blaze, smb@research.att.com